- main branch (latest)
- Open a private security advisory (GitHub → Security → Report a vulnerability), or email the maintainer.
- Include steps to reproduce, environment, and potential impact.
- Read‑only API design, policy enforcement, rate limiting, admin auth/CSRF.
- Write operations or authorization beyond defined row filters.